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Abstract 

Given an elliptic curve E over a finite field ¥ q of q elements, we 
say that an odd prime i \ q is an Elkies prime for E if t 2 E — Aq is a 
quadratic residue modulo £, where t& = q + 1 — #E(¥ q ) and #E(F q ) is 
the number of Fg-rational points on E. These primes are used in the 
presently most efficient algorithm to compute #E(W q ). In particular, 
the bound L q (E) such that the product of all Elkies primes for E up 
to L q {E) exceeds 4q 1//2 is a crucial parameter of this algorithm. We 
show that there are infinitely many pairs (p, E) of primes p and curves 
E over ¥ p with L p (E) > c log p log log log p for some absolute constant 
c > 0, while a naive heuristic estimate suggests that L p (E) ~ log p. 
This complements recent results of Galbraith and Satoh (2002), condi- 
tional under the Generalised Riemann Hypothesis, and of Shparlinski 
and Sutherland (2012), unconditional for almost all pairs (p,E). 



1 Introduction 

For an elliptic curve E over a finite field ¥ q of q elements we denote by #E(W q ) 
the number of F^-rational points on E and define the trace of Frobenius 
tE = Q + 1 — #E(F q ); we refer to [U [12] for a background on elliptic curves. 
We say that an odd prime i \ q is an Elkies prime for E if t% — 4g is a 
quadratic residue modulo £; otherwise l \ q is called an Atkin prime. 
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These primes play a key role in the Schoof-Elkies-Atkin (SEA) algorithm, 
see [TJ Sections 17.2.2 and 17.2.5], and their distribution affects the perfor- 
mance of this algorithm in a rather dramatic way. Thus, for an elliptic curve 
E over ¥ q , we define N a (E\ L) and N e (E; L) as the numbers of Atkin and 
Elkies primes £ G [l,L], respectively. Obviously, 

N a (E;L) + N e (E;L) = n(L) + 0(l), 

where tt(L) denotes the number of primes £ < L. Furthermore, for any 
elliptic curve over a finite field, one expects about the same number of Atkin 
and Elkies primes £ < L as L — > oo. That is, naive heuristic suggests that 

N a (E;L)^N e (E;L)^^ 7r (L), (1) 

as L — > oo. 

It has been noted by Galbraith and Satoh [TUl Appendix A], that under 
the Generalised Riemann Hypothesis (GRH), using the bound on sums of 
quadratic characters over primes, one derives that ([1]) holds for L > (logg) 2+e 
for any fixed e > and a sufficiently large q. 

The unconditional results are much weaker and essentially rely on our 
knowledge of the distribution of primes in arithmetic progressions; see [5j 
Section 5.9] or [HI Chapters 4 and 11]. However, for almost all pairs (p, E) of 
primes p and elliptic curves E over F p , Shparlinski and Sutherland [11] have 
established the asymtotic formula ([T]) for L > (logp) e for any fixed e > 0, 
that is, starting from much smaller values of L that those implied by the 
GRH. In particular, Let £e{p) be the set all Elkies primes for an elliptic 
curve E over ¥ p . We see that the prime number theorem and the result 
of [11] implies that for some function L(p) ~ logp for almost all pairs (p, E) 
we have 

I] £>Ap 1 / 2 . (2) 

3<e<L( P ) 

Note that this condition is crucial for the SEA point counting algorithm, 
see P Sections 17.2.2 and 17.2.5]. 

Here we show that this "almost all" result cannot be extended for all 
primes and curves even for a slightly larger values of L(p). More precisely, 
we show that there is an absolute constant c > such that for any function 
L(p) < c log p log log log p the inequality (J2J) fails in a very strong sense for 
infinitely many pairs (p, E). 
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Theorem 1. There is a constant c > so that for infinitely many pairs 
(p, E) of primes p and curves E over¥ p , and L < c log p log log log p we have 



n i= p' 



o(l) 



3<1<L 



We note that Galbraith and Satoh [10, Appendix A] have conjectured and 
actually presented some arguments supporting a result of this kind. More- 
over, under both the GRH and the conjecture that every positive integer 
n = 1 (mod 4) can be represented as n = Ap — t 2 the argument of Galbraith 
and Satoh [TUl Appendix A] can be made rigorous and in fact under these 
assumptions it allows to replace log p log log log p with log p log log p in The- 
orem [TJ Unfortunately, presently the required representation n = 4p — t 2 
is known to exist only for almost all n (see [2J [B]), which is not enough to 
complete the argument (even under the GRH). 

2 Preparations 

We recall the notations U = 0(V), V = Q(U), U < V and V > U, 
which are all equivalent to the statement that the inequality \U\ < cV holds 
asymptotically, with some constant c > 0. 

We always assume that i and p run through the prime values. 

For integers a and m > 2, we use (a/m) to denote a Jacobi symbol of 
a modulo m, see [SI Section 3.5]. We also use r(k) and fi(k) to denote the 
number of integer positive divisors and the Mobius function of k > 1. It is 
easy to see that for a square-free k we have 



where u(k) is the number of prime divisors of k. 

Our main tools are bounds of multiplicative character sums. 

The following estimate is a slight generalisation of [7J Lemma 2.2] and is 
also given in 

Lemma 2. For any integers a and T > 1 and a product m = i\ . . . i s of 

s > distinct odd primes £i, . . . , £ s with gcd(a, m) = 1 we have 



r(k) = 2 




< T/m + C s m 1/2 logm 



3 



for some absolute constant C > 1. 

We also need a slight extension of [3 Corollary 12.14]. In fact, we present 
it in much wider generality and strength than is needed for our purpose. 
First we note that for a square-free integer m and any integers u and v, we 
have 

gcd((w — v) 2 , m) = gcd(w — v , m). (3) 

Hence, in the case of quadratic polynomials, the bound of [SJ Theorem 12.10], 
implies the following results" 

Lemma 3. Assume that a square-free odd integer m > 3 and an arbitrary 
integer N > 1 are such that all prime factors of m are at most N 1 ' 9 . Then 
for any two integers u, v we have 



ST V) \ < AN (gcd( M - v, m)m- 1 r(mf +2 ^ 

71=1 ^ ' 



l/r2 r 



where r is any positive integer with N r > m 3 . 

Proof. As in the proof of [5J Corollary 12.14], we note that there is a factori- 
sation 

m = mi . . . m r 

with rrij < iV 4 / 9 , j — 1, . . . ,r. In particular, by [5., Theorem 12.10], recall- 
ing ([3]) , we see that for any j = 1 , . . . , r we have 



/ {n — u){n — v) 



E 

71=1 



rn 



< AN (gcd{u — v, mj)m- 1 T(mj) r2+2r j 



l/2 r 



Since m is square-free, we see that mi, . . . ,m r are relatively prime. Using 
the multiplicativity the divisor function, we obtain 

r 

| J gcd(u — v, mj)m~ 1 r(mj) r2+2r = gcd(u — v, m)m~ 1 T(m) r2+2r . 

3=1 

Therefore, for some j G {1, . . . , r} we have 

2 / 2 \ ^-l r 

gcd(w — v , m,j)m^ x r{m^) r +2r < (gcd(u — v,m)m~ 1 T(m) r +2r 
and the result now follows. □ 
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We remark that several more stronger and more general results of this 
type have recently been given by Chang [3J. 

Furthermore, we also recall the following classical results of Deuring [I] . 

Lemma 4. For any prime p and an integer t with \t\ < 2g 1//2 ; there is a 
curve E over ¥ p with #E(W P ) — p + 1 — t. 

3 Proof of Theorem H 

Let Q be a sufficiently large integer. We then set 

L = [0.3 log Q log log log Q\ , M — [log Q (log log log Q) _1 J , T = [Q 1/2 \ . 
Since, by the prime number theorem 

n t=Q° (i) i 

££<M 

we see from Lemma S] that it is enough to show that for any sufficiently large 
Q, there is an integer t £ [1, T] and a prime p G [Q/2,Q] such that 

< 2 - 4P Vl (4) 



for all primes £ G [M, L] . 

Clearly, if the condition (j3J) is violated, then 

nH^))-* 

te[M,L] v v 77 
Thus it is enough to show that the sum 

w= e e n (i- 

l<t<T Q/2<p<Q ie[M,L] v 



t 2 -Ap 



is positive, that is, that 

W > (5) 
for the above choice of L, M and T, provided that Q is sufficiently large. 
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Let M. be the set of 2 7r ( L )~ 7r ( M ) square-free products (including the empty 
product) composed out of primes t G [M, L], and let M* — M. \ {1}. We 
have 

't 2 - V 



w=y: e * h e ( ! 



Q/2<p<Q 

Changing the order of summation and separating the term T(jr(Q) — ir(Q/2)) 
corresponding to m — 1, we derive 



where 



Thus 



W = T(n(Q)-7r(Q/2))+ ]T ^(m)S( 

't 2 - Ap 



m) 



«-> ^ E E (^) 

KKT Q/2<p<Q v 



|S(m)|< £ 

Q/2<p<Q 



E 

KKT 



t 2 - 4p 



For m < T 1 / 4 we use Lemma [2] and note that 

C u(m) = r( - m )logC/log2 = m o(i) ; 

so we obtain 

S(m) < tt(Q) (T/m + C s m 1/2 logm) < n(Q)T/m. 
Thus for the contribution from all such sums we derive 

\S(m)\<*(Q)T l/m«7r(Q)r( J] f 1 + 7) 

i&M* m£M* \ee[M,L] ^ ' 

^i/4 m<T 1 /* X ' 



m<TV4 



Furthermore 



n H) = e -4+7) « e 7- 



ee[M,L] 



te[M,L] 



te[M,L] 



(6) 



1 (7) 
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By the Mertens theorem, see [5J Equation (2.15)], 
loeL 



E 7 = log 
= log 



+ 0(1/ log M) 



i£[M,L] 



logM 

log log Q + log log log log Q + log 0.3 



log log Q - log log log log Q 
log log log log Q 
log log Q 



0(1/ log M) 



Therefore 



log (^1 + 

log log log log Q 
log log Q 

1 



0(1/ log M) 



1 + 



n 

ee[M,L] 

Inserting this bound in (jTJ), we obtain 



log log log log Q 
log log Q 



ST \c/ m ^ z,™ kg log log log Q , 
2^ ^(m)! <7r(Q)r t— fTT^i = °WQ) r )- 



meM* 



log log Q 



(8) 



To estimate the sums S"(m) for m > T 1 / 4 , using the Cauchy inequality 
and then extending the summation range over all integers n < 4Q, we derive 

2 

't 2 - v 



\S(m)\ 2 = 7r(Q) 

Q/2<p<Q 



E 

KKT 



< *(Q) E 

n<4Q 



E 

KKT 



7T 



») E E ( 



m 

(s 2 -n)(t 2 -n) 



m 



If gcd(s 2 — t 2 ,m) > m 1 / 2 , we estimate the inner sum trivially as 0(Q). 
The total contribution from such pairs (s,t), is at most 



E E ^ E T(T/d + l)2 



d\m l<s,t<T d\m 

d>m>l 2 s 2 =t 2 (mod d) rf> m i/2 



(9) 



< T {T/m 1 ' 2 + 1) r( 
7 



m 



since for a square-free d, by the Chinese remainder theorem, any quadratic 
congruence of the form s 2 = a (mod d), 1 < s < d, has at most 
solutions. 

If gcd(s 2 — t 2 , m) < m 1//2 , we apply Lemma [3]to the inner sum, getting 



n<AQ 



(s 2 - n)(t 2 - n) 



l/r2 r 



< 16Q (g c d(s 2 — t 2 ,m)m 1 r(m 

< 16Q (m ; 2 ;(/// V 
for any positive integer r with 

(4Q) r > m 3 . 
Therefore, combining ([9]) and ( flOj) . we obtain 
S{m) 2 < 7r(g)gT (T/m 1/2 + l) r(m) 
+ vr(g)gT 2 (^m- 1/2 r(m 

Furthermore, for meMwe have 

r(m) < 2^ (L) = exp ^(log2 + o(l)) 



r 2 +2r 



l/r2 r 



(10) 



(11) 



l/r2 r 



(12) 



log q log log log g 

log log Q 



So if 



r + r < 0.01- 



log log log g 



(13) 



(14) 



then for m > T 1//4 we have 

r(m) r2+2r < Q°-°H°g2+o(l) _ y0.011og2+o(l) < m 0.04 log 2+o(l) < m l/6^ 

provided that g is large enough. Hence, 



m 
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Furthermore, since fflBl implies that r(m) = T°W for m G AL we see 
that ffl2|) implies that for m > T 1 / 4 , for any r satisfying fflTl) and (|14)) . 
we have 

5(m)«gT 1 - 1 /2^_ 
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Therefore, 

J2 \S(m)\^2^QT 1 - 1 ^ r2r 



meM* 
myT 1 / 4 



< QT 1 - 1 / 24 ^ exp ^(log2 + o(l)) 



log Q log log log Q 
log log Q 



In particular, if we set 

r = [log log log Q\ 



then 



p V( lo g lo gQ) log2+ ° (1) / ' 



Therefore, 

\S(m)\ « QT 1 - 1 /" = (tt(Q)T). (15) 



meM* 
m>T^I 4 



It is also obvious that (Till) is satisfied for the above choice of r. Furthermore, 
the condition ffTTj) is satisfied as well because 

(4Q) r > exp((l + o(l)) log Q log log log Q) 

and 

max m = exp((l + o(l))L) = exp((0.3 + oil)) log Q log log logQ). 

meM 



Substituting (jHj) and ( I15T) in (p), we see that ([5]) holds, which concludes 
the proof. 
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